This Microsoft Update has far‐reaching implications for software that is currently in production. Symantec has reviewed the impact of the update to provide proactive guidance for customers before the update impacts them.

Symantec will update this article in the event circumstances change or new information becomes available.

Solution

Information about the Microsoft® Update

Microsoft released a critical update (KB 2661254) on August 14, 2012, that ends support for RSA certificates with key lengths of less than 1024 bits. Shorter keys have been deemed more vulnerable to brute-force attacks due to continued advances in computer processing capabilities. After Microsoft’s update is applied, all certificates with key lengths less than 1024 bits are treated as invalid. Any application that calls into the operating system to validate digital certificates will receive an invalid-certificate response for them, whereas previously they would have passed validation.

Microsoft will begin proactively pushing out this update via its WSUS and Windows Update products on October 9, 2012.

You can find more information about the update in the following links:

The Microsoft Update has far‐reaching implications for software in general. Impact is largely dependent on how certificates are used and validated within the product or the infrastructure that the product interacts with. Any application that validates against certificates will be affected by the update and may fail to operate normally.

Symantec Product Impact

This update DOES NOT impact ITMS or other Symantec Endpoint Management solutions with respect to code signing and Authenticode or internally issued and leveraged certificates. Signed code and internally issued/used certificates use key lengths of 1024 bits or higher.

This update MAY impact customer environments that have provided their own certificates for SSL infrastructure. This includes SSL console, agent, and site infrastructures, as well as SSL database connections. Symantec recommends reviewing the certificates that are used for ITMS and Altiris Solution infrastructures to ensure they are 1024 bit or higher. If they are less than 1024 bit, follow the instructions provided in the Microsoft KB to increase the key length of the cert and re‐apply it throughout the ITMS and Altiris Solution infrastructure as described in Symantec product documentation.
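One way to carry out the review recommended above, as an added example that is not Symantec or Microsoft code: it lists certificates in the local machine stores whose RSA public key is shorter than 1024 bits. The function name `Get-WeakRsaCertificate` and the default store list are assumptions made for this example; point `-StorePath` at the stores that hold your SSL certificates.

```powershell
# Added example (not Symantec or Microsoft code): list certificates whose RSA
# public key is shorter than the 1024-bit minimum enforced by KB 2661254.
# Assumption: the default store list below; adjust it for your environment.
function Get-WeakRsaCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My',
                                 'Cert:\LocalMachine\CA',
                                 'Cert:\LocalMachine\Root'),
        [int]$MinimumBits = 1024
    )
    $rsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption
    foreach ($path in $StorePath) {
        if (-not (Test-Path -Path $path)) {
            Write-Warning "Store not found: $path"
            continue
        }
        foreach ($cert in Get-ChildItem -Path $path) {
            # The update concerns RSA keys; skip other algorithms.
            if ($cert.PublicKey.Oid.Value -ne $rsaOid) { continue }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                # Emit one record per certificate that would be rejected.
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
    }
}

# Run on each server that hosts SSL console, agent, site or database endpoints.
Get-WeakRsaCertificate | Sort-Object KeyBits | Format-Table -AutoSize
```

An empty result means no RSA certificate in the scanned stores is below the 1024-bit minimum; certificates kept only as files or in other stores are not covered by this scan.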

This update WILL impact ITMS and other Symantec Endpoint Management solution license refresh and license removal processes. License refresh is a recurring schedule that calculates usage against the license issued for Symantec/Altiris products. Generally this is not a high risk as the product will continue to function given the previous licensing data. However, licenses will not recalculate after applying the patch. This may impact cases where licenses have been exceeded or need to be reclaimed. Additionally, the license removal tool will not show Altiris licenses when the patch is applied.

Because of this issue, customers have the following options:

1. Do not install the Microsoft Update.

2. Temporarily work around the checks from the patch by following Microsoft’s instructions as described in the links above or as found in the section “Workaround Instructions” below.

3. Uninstall the Microsoft Update from Add/Remove Programs. A system reboot is required after removing the patch. It is not sufficient to just restart AeXSvc after uninstalling the patch.

Note: If you remove all license certificates in this window, it will remove all licensing from the Notification Server similar to the way the license removal tool did. If you do not need to remove everything, you can find a specific license that will need to be removed by opening each license certificate and viewing the details.

You can obtain new license files for your Altiris products generated with 1024-bit encryption by using the Combine License Workshop (CLW) tool that is available through the Symantec Licensing Portal. You can access the Symantec Licensing Portal at https://my.symantec.com

1. Select your language.

2. Check the “Don’t show me this page again” box.

3. Click on the orange “GO TO MYSYMANTEC” button.

4. Enter the User ID and Password for your SymAccount and click the orange “SIGN IN” button.

5. Click on the orange “COMBINE LICENSES (English Only)” button.

To generate new license files, use “Option 2: Download Selected Licenses (Singular or Combined)” and follow these steps:

1. Select the companies for which you want to display available license files.

2. Select the product for which you want to generate a new license file. (Note: You can only select a single product at a time.)

3. Select the license file(s) for which you want to generate a new license file.

4. Click on the double arrows >> to move the license file(s) to the “New license files (to be generated)” area.

5. Click on the orange “Download Now” button to generate and download a new 1024-bit license file.

See attachment for screenshots.

If you select a single license file, the process will generate a new 1024-bit license file with the same information that was in the previous license file. If you select multiple license files, the process will generate a new 1024-bit license file that combines nodes from each of the individual license files selected and has a maintenance expiration date equal to the nearest maintenance expiration date.

For example, if you combine one license file for 150 nodes with a maintenance expiration date of January 1, 2013, with another license file for 250 nodes with a maintenance expiration date of January 1, 2014, the new license file will have a maintenance expiration date of January 1, 2014. At the end of the combined license term, you can use the 250 nodes for an additional year by installing the individual license key containing the remaining maintenance.

If you own a product suite that contains licenses for several products, you will need to repeat the process for each affected product. Please note that it is not possible to generate new license files for multiple products at once.

In addition, please note that the Combine License Workshop tool only displays existing license files with a maintenance that has not yet expired. If the maintenance on your product has expired and you do not have a license file for your product with a future maintenance expiration date, you will need to contact Symantec Customer Care to have a new license file manually generated for you. Information on how to contact Symantec Customer Care can be found on Symantec’s web site.